Web Service Security

We have developed a webservice and some of the third party out side our client network want to access those .We have to make sure that our Web service should invoked by the correct party .
We thought to create one encription function to encript the password provided by the consumer, now when even the correct party hit our service the password will be encripted send through header of the soap message . When the request comes to server end we decript the password and validate it .

For example lets say the password is p123 . Now client will incorporate some extra text with it lets say XYZ so it will send the password as p123XYZ ,we will make sure that no one know how to convert it to correct password p123 from p123XYZ because decription logic is known to server only . So once the password reaches at server we can apply the correct decription logic and take out the password .

Till now everything was fine . Now question is if somebody in the middle hacked the encripted password .Let say the client application wrongly send the soap XML to some third party and the third party just copied the encripted password and send to actual server .We are not able to understand wheather it is comming from the correct party or a party predending as actual client .

How we ensure that if this encripted password is send to any body but still that party will not be able to hit the web service .

Monoj Roy,


Simplest way is enable the https layer and provide your client a public key.

Thanks,
Pradeep Jaladi

You didn't say which SOAP stack you're using, but all major SOAP stacks support WS-Security - that's what you should be using to secure your WS. You should never encrypt or decrypt a password, but use password hashing instead (which WS-Security supports). WS-Security can also encrypt your message, if you're worried about that in addition to being worried about password security. That would ensure that a stolen password alone can not be used to subvert your WS.

Using HTTPS in conjunction with WS should be considered obsolete with the advent (years ago) of WS-Security - message-level security has advantages over transport-level security.

Thanks for your response and guidance .

In our Web service we have used JAX-WS and using RAD and Web sphere application server .Our Web service is in Top Down approach .

After I googled on WS-Security and specially after going through the URL
webpage I understand
We can implement this using WSS4J but still I need two more input to implement this .
1.I need to know what are the component I need to incorporate in my code to make it run for example we have to write handler,update deployment descriptor in server and may be something in client side as well .
2.How it is ensureing my web service will not be hacked if somebody get access to the request soap xml which actually contain password in its header .

You wouldn't (and shouldn't) be using WSS4J directly. Consult the WebSphere documentation to learn how to use WS-Security with it; the specifics differ from app server to app server.

I took some time to go through some internet docs to configure WS-Security , I am trying to apply the security in Web Sphere application server and using RAD .Now I am getting following issue .


Business Need:
In our development project we have a mechanism to expose some master data as web service. We have to make this web service secure from following three points –

1. This service should be password protected. Username /password authentication.
2. The request and response XML need to be encrypted.
3. When this XML will travel through network no one could change it.

Our Approach:

We are trying to implement WS-Security here to get the above business need. I am getting following fault from soap UI

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Body> <soapenv:Fault> <faultcode>soapenv:Server</faultcode> <faultstring>security.wssecurity.WSSContextImpl.s02: com.ibm.websphere.security.WSSecurityException: Exception org.apache.axis2.AxisFault: CWWSS7337E: Can not find encryption bindings for specified confidential parts for an inbound message in the default bindings. ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@2d772d77</faultstring> <detail/> </soapenv:Fault> </soapenv:Body> </soapenv:Envelope>


Environment
1. Tool- RAD -8.0.4
2. App Server- Web Sphere Application Server 7.0.0.13
3. WSDL-Java code generation -JAX-WS
4. Security Token formats –X.509